WordPress Plugin Vulnerabilities

Metform Elementor Contact Form Builder < 3.3.2 - Unauthenticated Permalink Structure Update

Description

The plugin does not properly implement capability checks on the permalink_setup function, leading to unauthorized permalink structure updates.

Affects Plugins

Plugin icon
metform
Fixed in 3.3.2

References

CVE
CVE-2023-1843
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/metform/metform-elementor-contact-form-builder-330-missing-authorization

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
68515f7c-db2d-415f-ad53-aba5b4ebceb8

Timeline

Publicly Published
2023-05-04 (about 2 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2024-08-12
Title
Leopard - WordPress offload media <= 2.0.36 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2024-06-06
Title
GDPR/CCPA Cookie Consent Banner < 3.2.1 - Missing Authorization via handle_consent_toggle()
Published
2024-04-08
Title
Premmerce Product Filter for WooCommerce < 3.7.3 - Missing Authorization
Published
2025-12-15
Title
Read More & Accordion < 3.5.6 - Missing Authorization
Published
2024-06-06
Title
Clever Fox – One Click Website Importer by Nayra Themes < 25.2.1 - Missing Authorization to arbitrary theme activation via clever-fox-activate-theme